The following Fedora 38 Security updates need testing:
 Age  URL
 125  https://bodhi.fedoraproject.org/updates/FEDORA-2023-aaa2b3d20b   containerd-1.6.23-1.fc38
  38  https://bodhi.fedoraproject.org/updates/FEDORA-2023-13b03a90f9   python-pillow-9.5.0-2.fc38
  16  https://bodhi.fedoraproject.org/updates/FEDORA-2023-ec02e360af   tigervnc-1.13.1-9.fc38 xorg-x11-server-1.20.14-28.fc38
  11  https://bodhi.fedoraproject.org/updates/FEDORA-2023-0583eedde7   python3-docs-3.11.7-1.fc38 python3.11-3.11.7-2.fc38
   6  https://bodhi.fedoraproject.org/updates/FEDORA-2023-55800423a8   libssh-0.10.6-2.fc38
   5  https://bodhi.fedoraproject.org/updates/FEDORA-2023-540de58d84   slurm-22.05.11-2.fc38
The following Fedora 38 Critical Path updates have yet to be approved:
 Age  URL
  63  https://bodhi.fedoraproject.org/updates/FEDORA-2023-06dd18eecb   go-rpm-macros-3.3.0-1.fc38 go2rpm-1.10.0-1.fc38
  21  https://bodhi.fedoraproject.org/updates/FEDORA-2023-cf471b70ab   dnf5-5.1.9-1.fc38
  18  https://bodhi.fedoraproject.org/updates/FEDORA-2023-adae9be596   podman-4.8.2-1.fc38
  16  https://bodhi.fedoraproject.org/updates/FEDORA-2023-ec02e360af   tigervnc-1.13.1-9.fc38 xorg-x11-server-1.20.14-28.fc38
  12  https://bodhi.fedoraproject.org/updates/FEDORA-2023-aeccf7b447   selinux-policy-38.31-1.fc38
  11  https://bodhi.fedoraproject.org/updates/FEDORA-2023-6fe52eb932   bubblewrap-0.8.0-1.fc38
  11  https://bodhi.fedoraproject.org/updates/FEDORA-2023-b9c9759573   zchunk-1.4.0-1.fc38
  11  https://bodhi.fedoraproject.org/updates/FEDORA-2023-0583eedde7   python3-docs-3.11.7-1.fc38 python3.11-3.11.7-2.fc38
   8  https://bodhi.fedoraproject.org/updates/FEDORA-2023-e0f7ba1715   java-17-openjdk-17.0.9.0.9-3.fc38
   6  https://bodhi.fedoraproject.org/updates/FEDORA-2023-55800423a8   libssh-0.10.6-2.fc38
   5  https://bodhi.fedoraproject.org/updates/FEDORA-2023-b36c0fa1f0   gstreamer1-plugins-bad-free-1.22.8-2.fc38 gstreamer1-plugins-ugly-free-1.22.8-2.fc38
   1  https://bodhi.fedoraproject.org/updates/FEDORA-2023-39adf0978d   aom-3.8.0-1.fc38
   1  https://bodhi.fedoraproject.org/updates/FEDORA-2023-8e06012c49   distribution-gpg-keys-1.99-1.fc38
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2023-34e8c6d11a   libqalculate-4.9.0-1.fc38 qalculate-gtk-4.9.0-1.fc38 qalculate-qt-4.9.0-1.fc38
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2023-0f11e872d3   xfce4-settings-4.18.4-1.fc38
   0  https://bodhi.fedoraproject.org/updates/FEDORA-2023-f85b2263e4   bluez-5.71-2.fc38
The following builds have been pushed to Fedora 38 updates-testing
    ibus-typing-booster-2.24.10-1.fc38
    perl-Spreadsheet-ParseExcel-0.6600-1.fc38
    python-aiohttp-3.9.1-1.fc38
    python-datalad-0.19.5-1.fc38
    python-gbulb-0.6.4-1.fc38
    python-pysqueezebox-0.5.5-11.fc38
    python-qudida-0.0.4-1.fc38
    python-wled-0.4.4-11.fc38
    simpleini-4.22-1.fc38
    timew-1.7.0-1.fc38
    wl-mirror-0.15.0-1.fc38
Details about builds:
================================================================================ ibus-typing-booster-2.24.10-1.fc38 (FEDORA-2023-42e4b64dca) A completion input method -------------------------------------------------------------------------------- Update Information:
Update to 2.24.10
Update the preedit to empty right after deleting surrounding text when reopening a preedit (Resolves: https://github.com/mike-fabian/ibus-typing-booster/issues/474)
Improve do_reset() (Resolves: https://github.com/mike-fabian/ibus-typing-booster/issues/473) (Resolves: https://github.com/mike-fabian/ibus-typing-booster/issues/474)
Fix _record_in_database_and_push_context()
Avoid updating the preedit to empty or hiding it if the preedit is already hidden or empty
Do not pass through a key release event if the corresponding key press event was handled
Remove two probably redundant calls to get_surrounding_text()
Hide and clear lookup table and aux in _update_ui_empty_input_try_completion() if no candidates are found
Make self._ibus_event_sleep_seconds settable via gsettings
Avoid more duplicate calls of _update_preedit() (Resolves: https://github.com/mike-fabian/ibus-typing-booster/issues/473) (Resolves: https://github.com/mike-fabian/ibus-typing-booster/issues/474)
Fix disappearing first characters or words in the web clients of WhatsApp and Telegram used in Firefox (Resolves: https://github.com/mike-fabian/ibus-typing-booster/issues/473)
Update emoji annotations from CLDR
--------------------------------------------------------------------------------
ChangeLog:
* Fri Dec 29 2023 Mike FABIAN mfabian@redhat.com - 2.24.10-1 - Update to 2.24.10 - Update the preedit to empty right after deleting surrounding text when reopening a preedit (Resolves: https://github.com/mike-fabian/ibus-typing-booster/issues/474) - Improve do_reset() (Resolves: https://github.com/mike-fabian/ibus-typing-booster/issues/473) (Resolves: https://github.com/mike-fabian/ibus-typing-booster/issues/474) - Fix _record_in_database_and_push_context() - Avoid updating the preedit to empty or hiding it if the preedit is already hidden or empty - Do not pass through a key release event if the corresponding key press event was handled - Remove two probably redundant calls to get_surrounding_text() - Hide and clear lookup table and aux in _update_ui_empty_input_try_completion() if no candidates are found - Make self._ibus_event_sleep_seconds settable via gsettings - Avoid more duplicate calls of _update_preedit() (Resolves: https://github.com/mike-fabian/ibus-typing-booster/issues/473) (Resolves: https://github.com/mike-fabian/ibus-typing-booster/issues/474) - Fix disappearing first characters or words in the web clients of WhatsApp and Telegram used in Firefox (Resolves: https://github.com/mike-fabian/ibus-typing-booster/issues/473) - Update emoji annotations from CLDR --------------------------------------------------------------------------------
================================================================================ perl-Spreadsheet-ParseExcel-0.6600-1.fc38 (FEDORA-2023-84d3cc47b1) Extract information from an Excel file -------------------------------------------------------------------------------- Update Information:
Fix for CVE-2023-7101 (unvalidated input can lead to arbitrary code execution vulnerability). -------------------------------------------------------------------------------- ChangeLog:
* Sat Dec 30 2023 Paul Howarth paul@city-fan.org - 0.6600-1 - Update to 0.66 - Fix for CVE-2023-7101 (unvalidated input can lead to arbitrary code execution vulnerability) https://github.com/runrig/spreadsheet-parseexcel/issues/33 - Use author-independent source URL - Use SPDX-format license tag - No longer need to fix document file permissions - Fix permissions verbosely - Don't assume "pm" suffix on manpage files * Fri Jul 21 2023 Fedora Release Engineering releng@fedoraproject.org - 0.6500-35 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild -------------------------------------------------------------------------------- References:
[ 1 ] Bug #2255871 - CVE-2023-7101 perl-Spreadsheet-ParseExcel: unvalidated input can lead to arbitrary code execution vulnerability https://bugzilla.redhat.com/show_bug.cgi?id=2255871 --------------------------------------------------------------------------------
================================================================================ python-aiohttp-3.9.1-1.fc38 (FEDORA-2023-1f06098c71) Python HTTP client/server for asyncio -------------------------------------------------------------------------------- Update Information:
Security fix for CVE-2023-49081, CVE-2023-49082. Update `python-aiohttp` to 3.9.1. Patch `python-pysqueezebox` and `python-wled` so they do not have an implicit dependency on `python-async-timeout` via `python-aiohttp`. https://github.com/aio-libs/aiohttp/releases/tag/v3.9.0 https://github.com/aio-libs/aiohttp/releases/tag/v3.9.1 -------------------------------------------------------------------------------- ChangeLog:
* Thu Nov 30 2023 Benjamin A. Beasley code@musicinmybrain.net - 3.9.1-1 - Update to 3.9.1 (fix RHBZ#2252236, fix RHBZ#2252249) - Fixes CVE-2023-49081 and CVE-2023-49082 -------------------------------------------------------------------------------- References:
[ 1 ] Bug #2252236 - TRIAGE CVE-2023-49081 python-aiohttp: aiohttp: HTTP request modification [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2252236 [ 2 ] Bug #2252249 - TRIAGE CVE-2023-49082 python-aiohttp: aiohttp: CRLF injection if user controls the HTTP method using aiohttp client [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2252249 [ 3 ] Bug #2253439 - python-pysqueezebox: Please merge rawhide back to f39 and f38 https://bugzilla.redhat.com/show_bug.cgi?id=2253439 [ 4 ] Bug #2253440 - python-wled: Please merge rawhide back to f39 and f38 https://bugzilla.redhat.com/show_bug.cgi?id=2253440 [ 5 ] Bug #2254945 - deprecation warning: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal https://bugzilla.redhat.com/show_bug.cgi?id=2254945 --------------------------------------------------------------------------------
================================================================================ python-datalad-0.19.5-1.fc38 (FEDORA-2023-96c711debd) Keep code, data, containers under control with git and git-annex -------------------------------------------------------------------------------- Update Information:
Update to 0.19.5: https://github.com/datalad/datalad/releases/tag/0.19.5 -------------------------------------------------------------------------------- ChangeLog:
* Thu Dec 28 2023 Packit hello@packit.dev - 0.19.5-1 - [packit] 0.19.5 upstream release - Resolves rhbz#2256119 -------------------------------------------------------------------------------- References:
[ 1 ] Bug #2256119 - python-datalad-0.19.5 is available https://bugzilla.redhat.com/show_bug.cgi?id=2256119 --------------------------------------------------------------------------------
================================================================================ python-gbulb-0.6.4-1.fc38 (FEDORA-2023-314b47d0b6) GLib event loop for tulip (PEP 3156) -------------------------------------------------------------------------------- Update Information:
Initial import; Fixes: RHBZ#2195957 -------------------------------------------------------------------------------- ChangeLog:
* Sat Dec 30 2023 Davide Cavalca dcavalca@fedoraproject.org - 0.6.4-1 - Initial import; Fixes: RHBZ#2195957 -------------------------------------------------------------------------------- References:
[ 1 ] Bug #2195957 - Review Request: python-gbulb - GLib event loop for tulip (PEP 3156) https://bugzilla.redhat.com/show_bug.cgi?id=2195957 --------------------------------------------------------------------------------
================================================================================ python-pysqueezebox-0.5.5-11.fc38 (FEDORA-2023-1f06098c71) Python library to control Logitech Media Server -------------------------------------------------------------------------------- Update Information:
Security fix for CVE-2023-49081, CVE-2023-49082. Update `python-aiohttp` to 3.9.1. Patch `python-pysqueezebox` and `python-wled` so they do not have an implicit dependency on `python-async-timeout` via `python-aiohttp`. https://github.com/aio-libs/aiohttp/releases/tag/v3.9.0 https://github.com/aio-libs/aiohttp/releases/tag/v3.9.1 -------------------------------------------------------------------------------- ChangeLog:
* Sat Dec 2 2023 Benjamin A. Beasley code@musicinmybrain.net - 0.5.5-11 - Add explicit async-timeout dependency * Fri Jul 21 2023 Fedora Release Engineering releng@fedoraproject.org - 0.5.5-10 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild * Thu Jun 29 2023 Python Maint python-maint@redhat.com - 0.5.5-9 - Rebuilt for Python 3.12 -------------------------------------------------------------------------------- References:
[ 1 ] Bug #2252236 - TRIAGE CVE-2023-49081 python-aiohttp: aiohttp: HTTP request modification [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2252236 [ 2 ] Bug #2252249 - TRIAGE CVE-2023-49082 python-aiohttp: aiohttp: CRLF injection if user controls the HTTP method using aiohttp client [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2252249 [ 3 ] Bug #2253439 - python-pysqueezebox: Please merge rawhide back to f39 and f38 https://bugzilla.redhat.com/show_bug.cgi?id=2253439 [ 4 ] Bug #2253440 - python-wled: Please merge rawhide back to f39 and f38 https://bugzilla.redhat.com/show_bug.cgi?id=2253440 [ 5 ] Bug #2254945 - deprecation warning: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal https://bugzilla.redhat.com/show_bug.cgi?id=2254945 --------------------------------------------------------------------------------
================================================================================ python-qudida-0.0.4-1.fc38 (FEDORA-2023-c315502be4) QuDiDA (QUick and DIrty Domain Adaptation) -------------------------------------------------------------------------------- Update Information:
``` * Sat Dec 30 2023 Onuralp Sezer thunderbirdtr@fedoraproject.org - 0.0.4-1 - initial package ``` -------------------------------------------------------------------------------- ChangeLog:
* Sat Dec 30 2023 Onuralp Sezer thunderbirdtr@fedoraproject.org - 0.0.4-1 - initial package --------------------------------------------------------------------------------
================================================================================ python-wled-0.4.4-11.fc38 (FEDORA-2023-1f06098c71) Python client for WLED -------------------------------------------------------------------------------- Update Information:
Security fix for CVE-2023-49081, CVE-2023-49082. Update `python-aiohttp` to 3.9.1. Patch `python-pysqueezebox` and `python-wled` so they do not have an implicit dependency on `python-async-timeout` via `python-aiohttp`. https://github.com/aio-libs/aiohttp/releases/tag/v3.9.0 https://github.com/aio-libs/aiohttp/releases/tag/v3.9.1 -------------------------------------------------------------------------------- ChangeLog:
* Sat Dec 2 2023 Benjamin A. Beasley code@musicinmybrain.net - 0.4.4-11 - Backport "Replace async_timeout with asyncio.timeout", PR#1163 * Fri Jul 21 2023 Fedora Release Engineering releng@fedoraproject.org - 0.4.4-10 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild * Thu Jun 29 2023 Python Maint python-maint@redhat.com - 0.4.4-9 - Rebuilt for Python 3.12 -------------------------------------------------------------------------------- References:
[ 1 ] Bug #2252236 - TRIAGE CVE-2023-49081 python-aiohttp: aiohttp: HTTP request modification [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2252236 [ 2 ] Bug #2252249 - TRIAGE CVE-2023-49082 python-aiohttp: aiohttp: CRLF injection if user controls the HTTP method using aiohttp client [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2252249 [ 3 ] Bug #2253439 - python-pysqueezebox: Please merge rawhide back to f39 and f38 https://bugzilla.redhat.com/show_bug.cgi?id=2253439 [ 4 ] Bug #2253440 - python-wled: Please merge rawhide back to f39 and f38 https://bugzilla.redhat.com/show_bug.cgi?id=2253440 [ 5 ] Bug #2254945 - deprecation warning: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal https://bugzilla.redhat.com/show_bug.cgi?id=2254945 --------------------------------------------------------------------------------
================================================================================ simpleini-4.22-1.fc38 (FEDORA-2023-3392a7bdc9) Cross-platform C++ library to read and write INI-style configuration files -------------------------------------------------------------------------------- Update Information:
update -------------------------------------------------------------------------------- ChangeLog:
* Sat Dec 30 2023 topazus topazus@outlook.com - 4.22-1 - initial import; rhbz#2256266 --------------------------------------------------------------------------------
================================================================================ timew-1.7.0-1.fc38 (FEDORA-2023-62a225d208) Timewarrior tracks and reports time -------------------------------------------------------------------------------- Update Information:
Update to 1.7.0: https://github.com/GothenburgBitFactory/timewarrior/blob/v1.7.0/ChangeLog -------------------------------------------------------------------------------- ChangeLog:
* Sun Dec 24 2023 Packit hello@packit.dev - 1.7.0-1 - [packit] 1.7.0 upstream release - Resolves rhbz#2255777 -------------------------------------------------------------------------------- References:
[ 1 ] Bug #2255777 - timew-1.7.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2255777 --------------------------------------------------------------------------------
================================================================================ wl-mirror-0.15.0-1.fc38 (FEDORA-2023-fdbd133dee) Simple Wayland output mirror client -------------------------------------------------------------------------------- Update Information:
Update to 0.15.0 -------------------------------------------------------------------------------- ChangeLog:
* Sat Dec 30 2023 Aleksei Bavshin alebastr@fedoraproject.org - 0.15.0-1 - Update to 0.15.0 --------------------------------------------------------------------------------
test-reports@lists.fedoraproject.org